Posts for July 2010

2010-07-07: C TAP Harness 1.4

One of the features of C TAP Harness is to work well with Automake projects that support out-of-tree builds. In that situation, it's common for the test suite files to be scattered between the source tree and the build tree depending on whether they have to be assembled at build time. I found that I was constantly repeating the same block of code to locate a file that could be either in the source or the build tree when writing tests using the TAP library, so I moved that code into the library.

You can get the latest version from the C TAP Harness distribution page.

2010-07-07: rra-c-util 2.5

This release represents the merger and resynchronization of rra-c-util with the portability code in WebAuth, which was the last major software package I maintain that was not using rra-c-util for its portability layer. (There are still other, more minor ones.) It also includes some work for the next release of pam-afs-session, but not yet the general PAM utility layer.

This release contains new Autoconf macros for finding the right flags to build Apache modules, finding the cURL, OpenLDAP, and OpenSSL libraries, and detecting whether the linker supports --version-script. It also improves the Kerberos library probes and allows callers to override the Kerberos probes in various ways, required for these macros to be used in OpenAFS.

The Kerberos portability layer now covers another function (krb5_free_data_contents) and has some improvements for older versions of MIT Kerberos.

The vector library supports new functions to split a string into a vector using any character found in a string of separators as a separator.

Finally, there is a replacement for the Solaris issetuidgid function if it's not found, which falls back on checking geteuid() and getegid().
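
A sketch of this kind of fallback, as an added example rather than rra-c-util's own code: it assumes the check compares the real and effective user and group IDs, and the names example_issetugid, ids_differ and getenv_unprivileged are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Pure comparison, split out so it can be checked without a setuid binary. */
static int
ids_differ(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid)
{
    return ruid != euid || rgid != egid;
}

/*
 * Hypothetical fallback: returns 1 if the process is running with an
 * effective UID or GID different from its real one.  A native implementation
 * tracks a flag set at exec time, so it still reports 1 after a setuid
 * program has made its real and effective IDs equal; this comparison
 * cannot see that case.
 */
static int
example_issetugid(void)
{
    return ids_differ(getuid(), geteuid(), getgid(), getegid());
}

/* Typical caller: ignore an environment override when running privileged. */
static const char *
getenv_unprivileged(const char *name)
{
    if (example_issetugid())
        return NULL;
    return getenv(name);
}

int
main(void)
{
    /* EXAMPLE_CONF is a constructed variable name for this example. */
    const char *conf = getenv_unprivileged("EXAMPLE_CONF");

    printf("privileged: %d, EXAMPLE_CONF: %s\n", example_issetugid(),
           conf != NULL ? conf : "(ignored or unset)");
    return 0;
}
```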

You can get the latest version from the rra-c-util distribution page.

2010-07-08: WebAuth 3.7.0

WebAuth 3.7.0 is a major new release of WebAuth with improvements to mod_webauthldap and new support for password change and expired passwords in WebLogin. This is the culmination of quite a bit of work, much of it by Jon Robertson and Ian Ward Comfort, over the past three or four months.

This is also the first release of WebAuth that makes nearly full use of the C TAP Harness test suite driver and rra-c-util C portability layer used by other packages. The test suite has been overhauled to work like the test suites in my other packages, and Jon Robertson wrote a new test suite for the WebLogin server. This should make further development much easier.

The largest user-visible changes for the typical installation are to mod_webauthldap. WebAuthLdapAuthRule now puts more useful information in the environment, and there's a new WebAuthLdapPrivgroup directive that can check the user's membership against multiple privgroups and put the list of memberships into an environment variable. These are both helpful for common authorization problems.

The WebLogin server, as mentioned, now correctly supports password expiration, prompting the user to select a new password immediately if their password has expired and then continuing with normal operations. It can also warn the user if their password is going to expire within a configurable time period. Finally, included in the WebLogin suite is now a separate interface for user-initiated password changes, both for the use of the rest of the WebLogin code and so that users can change their passwords near where they authenticate.

The build system has been significantly overhauled and no longer uses apxs to do the compilation and linking of modules. As a result, the module installation path has changed, but the build system is also much cleaner and doesn't require workarounds for packagers the way that it did before. Many of the configure flags have been changed or updated.

This release also has a substantial overhaul in the WebAuth library, making its use of types more consistent and dropping one unnecessary function. As a result, the library SONAME and ABI have changed and any applications built against the WebAuth library will need to be recompiled.

There are also several other, more minor bug fixes and updates, plus some new installation documentation for Stanford users. See the changes summary for more information.

You can get the latest version either from the official distribution site or from the WebAuth distribution page that I maintain.

2010-07-21: kadmin-remctl 3.1

This release fixes various problems with account creation in the new Heimdal backend introduced in version 3.0 that we had fixed locally but which I'd not yet released. It also introduces three new commands: expiration, which sets the account expiration; pwexpiration, which sets the password expiration; and check_expire, which queries either expiration time.

There are also some improvements for the MIT backend: the password policy to apply can now be specified, rather than just be enabled or disabled, and there is a new create_opts configuration option that allows one to configure additional arguments to pass to addprinc.

Underscores are now allowed in principal names for the examine command.

This package really needs to be rewritten to refactor common code, use a Perl module to speak to the MIT Kerberos kadmin server, and clean up the output format, but that's not this release. I'm hopeful that sometime next calendar year I'll have a chance to do that.

You can get the latest version from the kadmin-remctl distribution page.

2010-07-23: WebAuth 3.7.1

After additional security review of the new password change functionality in WebAuth 3.7.0, we've decided that we want to always reprompt the user for their current password on the same screen as the password change, even if they'd just authenticated. This version implements that, with a new configuration option that allows one to select the previous behavior of not reprompting for the password if one prefers. It also improves the error reporting in WebLogin on password change failures.

Also in this release are fixes for build failures on Red Hat, whose apxs doesn't provide all the required compiler flags to build Apache modules, and a fix to a long-standing bug in mod_webkdc. The WebKDC was documented to create single sign-on proxy cookies, by default, with the same expiration time as the underlying Kerberos credential, but the code forced the expiration time to a maximum of ten hours. The code now behaves as documented.

You can get the latest version from the official WebAuth distribution page or from my unofficial distribution page.

2010-07-27: Policy 3.9.1 and Lintian 2.4.3

It's been my intention to mention new Lintian and Debian Policy releases here as well, but I've not been doing very well with that (or with writing things here in general) for the last bit. But I'll see if I can change that up now.

I wanted to get a new Policy release out before DebConf10 and got that out Sunday night. This doesn't have anything as dramatic as the Breaks/Conflicts or architecture wildcard changes in 3.9.0, but there are a lot of interesting improvements and updates. There's even more coming in the next release, which I'm hoping will include a long-overdue improvement to the summary of maintainer scripts.

The Lintian release is mostly just adjustments for the new version of Policy, but I tried to take a quick pass through the open bugs and resolve as many as I could in a day as well. Major projects in Lintian are still on hold right now, since I just don't have enough time given the other things that I'm trying to do.

The Policy changes of note are summarized in the upgrading checklist included in the debian-policy package and were all listed in the debian-devel-announce message.

Last modified and spun 2017-02-20